
Bulletproof SSL and TLS, three years later

July 04, 2017

The last time I wrote about my book Bulletproof SSL and TLS was two years ago, just after publishing the first full revision. Although two years is a long time to go without a blog post, throughout this period I continued to work on the book, keeping it nearly always up to date. Today, three years after the first edition had been published, the second formal full revision is complete. At the same time, I am announcing that the first edition won't see any further updates—all future work will go toward the second edition. I will talk more about that in a future blog post.

Please note that updating the printed book without a new edition potentially takes a long time. Online stores have their own inventories and multiple fulfillment centres, all of which may take a long time to clear. Thus, please don't expect that you'll get a printed 2017 revision when you buy the printed book now. In the worst case, you can read the 2015 revision and get the digital 2017 revision (we'll give it to you for free if you send us a receipt)!

Now, I could talk about the changes I made since the last revision, like SLOTH, DROWN, and Sweet32, but you can read about all those things in the book itself. What I want to celebrate is the fact that, three years on, my book is still up to date. This is something I originally set out to do, something I couldn't achieve with traditional publishing, and I am very happy that it's worked. But it hasn't been exactly easy.

When I first start working on a book, I allocate time for it and focus on it completely. Six months is a good amount of time, assuming enough research had been done previously. But not all books are equal. Working on the first edition of Bulletproof, I spent roughly five years on research and two years writing. After the first edition is released, you naturally go on to do other things. So a big challenge for me was to slow down with my other projects and find enough time to properly maintain the book. (In fact, as I write this, I am in the middle of launching my startup, Hardenize.) Although I managed, it was a constant struggle.

Another problem is that, when you're making many small changes over long periods of time, it's difficult to update every single place that needs it. You have to read and reread entire chapters to find all the missed places and fix them. That not only takes time, it's also quite boring.

There are other problems, too, for example the fact that you don't feel as enthusiastic about your work several years later, combined with the fact that the sales are not what they were during the first year.

As an aside, we didn't have any problems with the actual process. Since the beginning we had a fully automated workflow that continuously publishes the manuscript into all necessary formats. Thus, there was nothing to do to put the updates out there. We even have a solution for the proofreading and copyediting parts; our copyeditor, Melinda Rankin, was able to work on the changed parts only.

Back to the challenges, I think that they can all be solved by finding a sustainable business model for producing high-quality technical material. With Bulletproof SSL and TLS we had some good runs that lasted for a while, but they're slowing down. We have some ideas for how we can improve the business side of our small publishing company and, generally, the hope is to align our interests with those of our readers. Now that the first edition is at the end of its life, we'll start work on the second edition.
